Monday, May 30, 2011

Permissions Issues in Dynamics CRM 2011 when Users Inherit Roles from Teams

Setting up a CRM demo I noticed what appears to be a problem in the CRM 2011 security model which affects users whom only inherit a Security Role from their membership in a Team, and have no roles of their own.

My user is in a Team, and the Team has the out-of-the-box Customer Service Representative role. But my user can’t create a Service Activity like he should be able to:

image

I thought the team permissions were right for creating Activities, but MSDN just has a ‘coming soon page’ for both the roles and doesn’t even list the Activity entity so I wasn’t getting much help there.

Some error dialogs in CRM have a little ‘view log’ button, which helps, but this one didn’t. However the TechNet article ‘Troubleshooting Microsoft Dynamics CRM’ was quite helpful here (written for CRM 4.0 but much is still relevant), describing how you activate the detailed error dialog by modifying this setting in the app.config:

<add key="DevErrors" value="On"/>

image

This gave me something a bit more concrete to go on:

SecLib::AccessCheckEx failed. Returned hr = -2147187962, ObjectID: 00000000-0000-0000-0000-000000000000, OwnerId: {blah}, OwnerIdType: 8 and CallingUser: {blah}. ObjectTypeCode: 2500, objectBusinessUnitId: {blah}, AccessRights: CreateAccess

Ok, so I can’t create something. But interestingly a bit of poking about in the metadata schema in the database (Metadata.Entity) reveals ObjectTypeCode 2500 is not actually Activity, as I suspected, but UserEntityUISettings.

Hmm. The team’s got permissions for that too I thought:

image

... but that permission can only be applied at the user level. So I wondered if it wasn’t transitive over the Team correctly, and added the user directly to the role.

And then it all worked.

Perhaps there is an explanation somewhere, but I’m damned if I can find it. Services and Service Activities are new in 2011 and seem to be skipped entirely by the two CRM books I looked at. There is some documentation around the permissions model, but it’s incomplete, and most blog posts I’ve read seem to suggest diagnosing issues is a bit of a crapshoot, which is pretty piss poor for a business-orientated application if you ask me. And I’d hate to have had to diagnose this in the cloud, without access to the database...

8 comments:

Anonymous said...

Thank you so much, I ran into this same issue.

CMercs said...

My thought is, and i'm just talking out of my neck without testing anything, is that user level privileges are not transferred, but business and organization level privileges are.

AllStoneTech

Anonymous said...

This was doing my head in - then I found on Richard Knudson's blog http://www.dynamicscrmtrickbag.com/2011/06/16/managing-users-teams-and-security/ whiuch pointed here and so far so good

Thnaks heaps

friendlyrice said...

Hi,

Don't know if anyone has revisted this issue or not but the reason the SA can't be created is because with the role assigned to the team, it means the team is able to "create" the record (i.e. the team becomes the owner of the SA).

The error happening here is because the record being created is under the context of the logged in user, whom doesn't have a sec. role, hence an error.

The team has to be treated like a separate user in this case when it comes to creation of records in CRM; while the user does inherit permissions from the team they belong to, it doesn't mean they can still create records in the context of the individual user.

The below example kind of demonstrates this with logging into CRM.

Chris

(below is cross posted to Richard Knudson's blog)

Sorry to bump an old article, but just want to touch upon logging into CRM with just a role on the team.

Here is my scenario:

* User A w/ no individual security role
* Team A has a role with the basic privileges to login to CRM
+ User Entity UI Settings
+ User EntityInstanceData

* User A added to Team A

User A is able to login to CRM w/out a security role attached to them.

By this test, it seems that the user does inherit the team privileges and doesn’t require a role tied to itself.

Does seem to make things a lot easier in terms of user/role management.

Simon Hetzel said...

Ah the penny has finally dropped with regard to friendlyrice's comment

I've found (using CRM Online) that the work around in Richard's blog and elsewhere is not sufficient.

Any user-level create priviledges on the team seem to only allow team members to create records with the owner explicitly set to the team itself (and not to themselves or any of the other team members).

Personally I consider that a bug (although Microsoft would doubtless consider otherwise). Is this your experience also?

Simon Hetzel said...

Actually I’ve just realised this applies to ALL user-level privileges…

friendlyrice said...

Precisely!! You almost have to treat the team as a user itself (and rightfully so because a team is of Owner type).

So unless the owner is set to the team, the record creation will fail.

I wouldn't call it a bug as much as opposed to team ownership just extending the ownership model; it is not a way to solely and universally inherit security privileges

chandu shekhar said...

I have checked the same in CRM online I am not facing this issue. I have created a new Team with Customer representative role. added new user who does not contain any roles. I logged into CRM with new user credentials, I am able tocreate service activity...

Popular Posts